Make Credential Manager calls on behalf of other parties for privileged apps

Privileged apps such as web browsers can make a Credential Manager call on behalf of other relying parties by setting the origin parameter in Credential Manager's GetCredentialRequest() and CreatePublicKeyCredentialRequest() methods.

The origin represents the application or website that a request comes from, and is used by passkeys to protect against phishing attacks. An app's servers are required to check the client data origin against an allowlist of approved apps and websites. If the server receives a request from an app or website with an unrecognized origin, the request should be rejected. This document describes how to set the origin for such privileged calling apps, and how to verify such apps are allowed to make calls on behalf of other parties.
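The server-side origin check described above can be sketched as follows. This is an added example, not code from the Credential Manager documentation. It assumes the WebAuthn clientDataJSON layout (type, challenge and origin fields, base64url-encoded) and covers only that check, not signature verification. The allowlist entries, the placeholder key hash and the function names are constructed for illustration.

```python
import base64
import hmac
import json

# Constructed allowlist: the relying party's own web origin and one Android app
# origin. The key hash is a placeholder, not a real signing-certificate hash.
ALLOWED_ORIGINS = frozenset({
    "https://example.com",
    "android:apk-key-hash:PLACEHOLDER_APK_KEY_HASH",
})


def b64url_decode(value: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses for binary fields."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def b64url_encode(raw: bytes) -> str:
    """Encode to unpadded base64url (used here only to build sample input)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def verify_client_data(client_data_b64: str, expected_type: str,
                       expected_challenge: bytes) -> str:
    """Return the origin if clientDataJSON passes every check, else raise ValueError."""
    try:
        client_data = json.loads(b64url_decode(client_data_b64))
    except ValueError as exc:  # bad base64, bad UTF-8 and bad JSON all land here
        raise ValueError("clientDataJSON is not base64url-encoded JSON") from exc
    if not isinstance(client_data, dict):
        raise ValueError("clientDataJSON is not a JSON object")
    if client_data.get("type") != expected_type:
        raise ValueError("unexpected ceremony type")
    challenge = client_data.get("challenge")
    if not isinstance(challenge, str) or not hmac.compare_digest(
            b64url_decode(challenge), expected_challenge):
        raise ValueError("challenge does not match the one issued for this session")
    origin = client_data.get("origin")
    # Exact match only: prefix, suffix or case-insensitive comparison would let
    # look-alike origins such as https://example.com.attacker.test through.
    if not isinstance(origin, str) or origin not in ALLOWED_ORIGINS:
        raise ValueError(f"origin is not on the allowlist: {origin!r}")
    return origin
```

When a privileged browser makes the call on behalf of a website, the origin the server sees is the one the browser set, so the website's own origin is the entry that must be on the allowlist.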

Set the origin of the calling app

To get credentials on behalf of another relying party, the credential provider that supplies the credentials must add your app to a list of privileged callers that are allowed to get such access. Then, use setOrigin() on createCredential() and getCredential() requests to set the origin value.

Privileged apps such as web browsers that need to handle third-party credentials must be approved by Google Password Manager before they can do so. This ensures that only trusted apps are able to access and manage user credentials for external services. To be approved for handling third-party credentials, complete the request form to open a ticket and have your request reviewed.